A recent survey of CISOs by IBM found that nearly 90 percent of respondents had either already adopted or were currently planning cloud initiatives. Additionally, the cloud market as a whole is expected to grow by 126.5 percent this year, according to a CipherCloud report.
But more interestingly, both companies identified a larger question: what does security even mean heading into 2015? The CipherCloud report wrote that “understanding what ‘secure’ means to respondents can be a challenge.” Meanwhile, 82 percent of IBM’s respondents said that the very definition of security had changed in the last three years.
With those questions in mind, HackSurfer hosted a Google Hangout on cloud security featuring SurfWatch Labs chief security strategist Adam Meyer, CipherCloud global director of cloud security Willy Leichter, and IBM Distinguished Engineer and CTO for Security Solutions Nataraj Nagaratnam, Ph.D.
We discussed the change in the cybersecurity mindset, what it means for businesses and for hackers, and what to expect from the cloud going forward. A few highlights of our discussion follow:
Uncertainty About What “Security” Is
Nagaratnam: “We went through the web era, the online era, when people were trying to move to the web and they were trying to figure out how to secure their web applications. They’re in the same state now.”
Leichter: “It’s huge disruption in the way IT works. … IT is fundamentally changing now from an enterprise perspective because you used to have a perimeter. You used to have your boundary. … The perimeter now has disappeared. … Now you need to think about how you’re going to add security to your own data, and it’s a real shift of mindset.”
Meyer: “Traditional security pros who are used to having a defense-in-depth kind of modes of operation are forced to stop looking at the asset and start looking at the data when a cloud initiative comes up, because the asset perspective pretty much goes outside the window. They get outside their comfort zone.”
Security Advantages of the Cloud
Meyer: “When you look at all of the recent breaches – Target, Home Depot, Sony, whatever’s the breach du jour of the day – each one of those incidents seems to always point back to lack of basic maintenance, maintenance in the form of vulnerability management, and a lot of times that’s happening because the IT departments can’t keep up with quantity of vulnerabilities coming out, sustaining their systems. They’re running a lot of projects, and they’re blowing off the maintenance if you will, and they’re stretched thin. Pushing those services to the cloud takes that aggravation off the local IT department.”
Nagaratnam: “One key trend we see out there is lack of security skills. Now you have an army of skilled people and technology and resources that the cloud provider brings on, which you cannot afford as a smaller company maybe. So in that sense, it is actually an opportunity to do security right.”
Cloud Security Issues
Leichter: “Businesses really need to get a better handle on what information is important to them, what’s potentially damaging, what they might worry about in a data breach. When all the data was all inside your network, a lot of people had a false sense of security and didn’t categorize their data well. Now when it’s outside, you’ve got to understand your data better, and you’ve got to understand the risk.”
Meyer: “Our adversaries want typically two primary things. They want privilege escalation and they want freedom of movement. … When you look at cloud initiatives, you got to answer those two questions. When I push data out to the provider, how can I validate that something malicious is not occurring? If I don’t know what normal looks like, how do I know when something abnormal is happening?”
Leichter: “There’s a huge increase in shadow IT, which means people bring their own apps to work. They bring smartphones. They access whatever they want. They’re doing all kinds of things, and it’s very hard for businesses to shut them down. You either turn off everything, which doesn’t really work, or it’s kind of the Wild West now with people using the cloud on their own.”
The Future of Cloud
Nagaratnam: “In terms of the data that they’re moving to the cloud, I believe that in 2015 there will be a much more structured way to think about it in terms of what it is that I’m doing in the cloud, what controls do I have based on the risk that I’m taking for the data that I’m moving. It’s a natural evolution and a natural next step in terms of this whole cloud adoption.”
Leichter: “Cloud adoption is not slowing down. It’s hitting the mainstream. We work with a lot of very conservative enterprises – banks, financial services, healthcare – and they are at the early stages of a mass migration of infrastructure.”
Key Takeaways From the Hangout
Meyer: “Do your data governance. Understand what the purpose of going to your cloud provider is in the first place.”
Leichter: “You really need to avoid the checkbox mentality. A lot of people have this mentality that if it says encryption on the compliance requirements my cloud provider said they’ll encrypt it so – done. … Know your data and think beyond just the letter of the law.”
Nagaratnam: “One, the cloud is actually an opportunity to do security right … [and] two, you must take a structured approach to cloud security – managing access, protecting data and gaining visibility.”